News Archives

Sunday, November 29, 2015

Update on the CJEU’s Safe Harbor Decision

As we reach the end of November, an update is in order on the
rapid-paced and continuing fall-out from the Court of Justice of the European
Union’s October 6 ruling in the Schrems case.
Over the past month or so, the main developments have been as follows:

The EU
Parliament LIBE committee issued a press release condemning mass
surveillance in the US and in some member states and calling upon the European
Commission to take action before the end of 2015 to come up with alternatives
to Safe Harbor (Oct. 13).

The Schleswig-Holstein
DPA announced that data transfers to the US based upon model contracts should
be terminated or suspended (Oct. 14).

DPAs in Bremen and Berlin confirmed that they agree with their colleague in
Schleswig-Holstein on the unacceptability of model contracts as an alternative
to Safe Harbor (Oct. 15).

The Article
29 Working Party issued a statement calling for a “robust, collective and
common position” on implementing Schrems; pledging to review the viability of model
contracts and BCRs, while noting that they can in the meantime still be used
absent particular circumstances; and warning that it would “take all necessary
and appropriate actions, which may include coordinated enforcement actions” if
a solution is not found with US authorities by January 31, 2016 (Oct. 16).

Calling for recognition that privacy is a fundamental human right, the President
and Chief Legal Officer of Microsoft
proposed four steps to resolve the impasse over trans-Atlantic data transfers
(Oct. 20).

The US House of Representatives passed the Judicial Redress Act that would extend
to foreigners the same rights to judicial redress as US citizens have if law
enforcers violate their privacy (Oct. 21).

The Swiss
DPA announced that data transfers to the US could no longer be based upon the
US-Swiss Safe Harbor framework (Oct. 22).

The European
Union announced that it had struck a deal “in principle” with the US on a
new data-sharing agreement to strengthen Safe Harbor, a deal involving greater
oversight by the Dept. of Commerce and a review
by European officials of access to transferred data by US security and law
enforcement agencies (Oct. 27).

Oracle
revealed that it is now keeping all data regarding European citizens within the
EU (Oct. 28).

The US
Commerce Secretary said that a solution she called “Safe Harbor 2.0” is “totally
doable” and will be coming “shortly” (Oct. 29).

The EU Parliament reiterated its concerns about mass surveillance in the US and
in Europe, called for a report by the Commission by the end of 2015 and urged
member states to grant whistleblower status and protection to Edward Snowden
(Oct. 29).

Large US companies such as Facebook
and Airbnb said that they rely upon transfer mechanisms other than Safe
Harbor (Nov. 1).

The Spanish DPA (AEPD) announced that it had sent a letter to all companies operating
in Spain that had previously notified the AEPD of cross-border data transfers
to Safe Harbor certified companies, giving them until January 29, 2016 to inform
the authority of what mechanisms for data transfers they were now using (Nov. 3).

The European
Commission issued a communication about the Schrems decision stating that
model contracts and BCRs can still be used while discussions proceed with the
US (Nov. 6).

Microsoft announced that in conjunction with Deutsche Telekom it will be offering cloud
services from Germany and other EU member states that will be beyond the reach
of US authorities. Other cloud vendors such as Amazon, Google and Syncplicity are
also ramping up their opening of data centers in Europe (Nov. 11).

A group of 40
privacy groups from both Europe and the US said that the proposal for a new
data transfer agreement is insufficient to protect privacy and will likely be
struck down by regulators and Europe's high court (Nov. 16).

It is worth noting that no significant developments relevant to Schrems
and Safe Harbor have been reported during the last two weeks, the likely reason
being the November 13 terrorist attacks in Paris. Although some believe, or hope, that the attacks
are shifting the pendulum from privacy to security, it is difficult to see how they
impact or change the current EU-US legal impasse over data transfers.

Meanwhile, the clock continues to tick towards the January 31, 2016
deadline, as massive a date in the data protection community as Y2K was a
decade and a half ago for society in general. However, the chances that
January 31 will be as much a non-event as Y2K proved to be are very small.
Whether we see a successful conclusion to the Safe Harbor 2.0 negotiations or
not, the next few months are going to be memorable and consequential.